1. Field of the Invention
The present invention relates to a database access method and system and, more particularly, to a database access method and data retrieval system, especially a data relay server and a database server system, capable of concealing from the manager of a database the contents of a data retrieval query requested by a user or an application program.
2. Description of the Related Art
With the advance and spread of network technology such as the Internet, an increasing number of computers are connected to networks. In association with this, information providing services, which supply various kinds of information to users via networks, are coming into wide use. Typical examples of such information providing services are a patent information retrieval system and a gene arrangement information retrieval system.
The users of such an information providing service access the computers that provide the service via networks from various computers or terminals. In the following description, the computer or terminal operated by the user will be called a client computer, and the computer providing the information service will be called a server computer or DB server. At present, workstations, personal computers, small portable terminals, and portable telephones are commonly used as client computers, and mainframes, UNIX servers, and PC servers are commonly used as server computers.
To access an information providing service, the user uses dedicated software or a WEB browser on the client computer. On the server computer that provides the information service, data management and retrieval are usually performed by a database management system (hereinbelow called a DBMS).
When accessing an information providing service, for example to retrieve gene arrangement information or patent information, it is desirable for the user that who accessed which information under which conditions can be concealed; that is, that the confidentiality of both the name of the user who accessed the information and the contents of the retrieval is ensured. The reason is that in gene arrangement retrieval, patent keyword retrieval, and the like, the condition designated by a query is itself a confidential item, so retrieving information while ensuring its confidentiality is important for promoting product development and research and development.
Conventional security techniques realize, for example, (1) protection of communicated information against wiretapping on a network and (2) user authentication on the server side to prevent unauthorized access.
Known methods of realizing such security include using an encryption protocol such as SSL (Secure Sockets Layer) between a client computer and a server computer that communicate with each other, and the method shown in FIG. 13. In the latter, an encrypted inquiry 202 is transferred from a client computer 10 via a network 203 to a server computer 205 that provides the information service. In the server computer 205, the encrypted inquiry 202 received by a network interface 206 is passed to a query decryption unit 210, which decrypts it, and a DBMS 208 searches a database 211 in accordance with the decrypted inquiry condition. A retrieval result 207 is encrypted as necessary, and the encrypted result is sent to the client computer 10 via the network interface 206 and the network 203.
In this conventional method, however, although the inquiry 202 is transferred over the network in encrypted form, the search is performed in the server computer 205 with the inquiry decrypted, so the contents of the retrieval that the user wishes to keep confidential are not concealed from the server computer. Consequently, there is a danger that the contents of the retrieval, which are confidential information, are leaked to an ill-intentioned manager on the server side.
In conventional database access via a network, information is secured on the assumption that the server is trustworthy. Where the retrieval condition designated by a query is itself the object of confidentiality, it is difficult to perform a retrieval while concealing its contents from others.
The “Data Retrieval System” disclosed in Japanese Unexamined Patent Application No. 11-259512 (Literature 1) is a system for preventing the leakage of confidential information, such as the location of the user and the retrieval conditions, from the history data of a database trace on a retrieval server. It does so by (1) eliminating, from the conditions of a query sent by the user, the conditions corresponding to pre-registered confidential items, (2) replacing a condition value with a similar term or a broader term by using an inclusive relation (conceptual hierarchy) of the condition value, (3) dividing the input retrieval condition, and (4) having a proxy server installed between the data retrieving apparatus and the data retrieval server access the data retrieval server.
With the conventional technique disclosed in Literature 1, part of the user's confidential information can be concealed from the server, but the retrieval conditions themselves are still acquired by the server. For example, in fields where the value of a retrieval condition, such as a name or a gene arrangement, cannot easily be replaced with another term by using an inclusive relation, the retrieval condition cannot be sufficiently concealed.
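The four steps attributed to Literature 1, carried through on a small constructed data set as an added example (not code from this patent or from Literature 1); the hierarchy, the field names and the proxy-side re-filtering of the server's answer are assumptions. It also shows the limitation noted above: a value with no broader term, such as a gene sequence, is passed to the server unchanged.

```python
# Constructed illustration of the proxy transformation attributed to Literature 1,
# not the patent's own code; hierarchy, field names and local re-filtering are assumptions.

HIERARCHY = {"Tokyo": "Japan", "Osaka": "Japan", "Japan": "Asia"}  # term -> broader term
CONFIDENTIAL_FIELDS = {"applicant"}        # pre-registered confidential items
GENERALISE_FIELDS = {"city", "sequence"}   # values to broaden before sending


def relay_query(conditions):
    """Steps (1)-(3) on a list of (field, value) conditions; returns
    (subqueries, unprotected) where unprotected lists the conditions whose
    value (e.g. a gene sequence) has no broader term and so reaches the server."""
    subqueries, unprotected = [], []
    for field, value in conditions:
        if field in CONFIDENTIAL_FIELDS:
            continue                                  # (1) drop confidential item
        sent = value
        if field in GENERALISE_FIELDS:
            if value in HIERARCHY:
                sent = HIERARCHY[value]               # (2) replace with broader term
            else:
                unprotected.append((field, value))    # cannot be concealed
        subqueries.append((field, sent))              # (3) one condition per request
    return subqueries, unprotected


def server_match(records, field, value):
    """Retrieval server: match `value` or any narrower term below it (the hierarchy is not secret)."""
    hits = []
    for rec in records:
        term = rec.get(field)
        while term is not None:
            if term == value:
                hits.append(rec)
                break
            term = HIERARCHY.get(term)
    return hits


def run_query(records, conditions):
    """Proxy round trip: send sub-queries, intersect the answers, then re-apply
    the exact original conditions locally (the server saw only broadened ones)."""
    subqueries, _ = relay_query(conditions)
    ids = None
    for field, value in subqueries:
        found = {r["id"] for r in server_match(records, field, value)}
        ids = found if ids is None else ids & found
    candidates = [r for r in records if ids is None or r["id"] in ids]
    return [r for r in candidates if all(r.get(f) == v for f, v in conditions)]
```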
According to the “resident basic register file system” disclosed in Japanese Unexamined Patent Application No. 64-14665 (Literature 2), resident basic register data is encrypted at the time of data input and stored in encrypted form in a data file, so that an ill-intentioned person cannot obtain personal information by accessing the resident basic register file. In the conventional technique disclosed in Literature 2, however, when data registered in the resident basic register file is matched against the user's inquiry data, the encrypted data stored in the data file is decrypted, and the inquiry from the user is not concealed on the server side. If the manager of the server is ill-intentioned, the contents of the query become known to the manager.
According to the “Method and medium for recording personal information” disclosed in Japanese Unexamined Patent Application No. 11-272681 (Literature 3), in view of the problems of Literature 2 that retrieval efficiency is low because of the data decryption involved and that some conditions cannot be retrieved depending on the encryption method, a personal information recording method is proposed in which it is unnecessary to encrypt the whole file data. According to the method, (1) the personal information is divided into a basic information file storing a basic data item and an attribute information file storing the other data, (2) a special code associating the two files with each other is used as the personal code specifying the personal information, and (3) the personal code is encrypted as necessary. This conventional technique, however, also carries the danger of the condition leaking on the server side, since, as in the technique of Literature 2, the retrieval condition designated by the user is not encrypted.
According to the “Method and apparatus for secure storage of data” disclosed in U.S. Pat. No. 5,963,642 (Literature 4), the data to be stored in a database is itself converted into a bit map, the user's query is converted into a similar bit map, and retrieval is performed using the bit maps without decrypting the query. In the conventional technique disclosed in Literature 4, however, all of the data to be stored on the server must be encoded in bit map form in advance, so it is difficult to apply the method to an existing database.
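A bit map matching scheme of the kind described for Literature 4, as an added example that is not code from either patent: tokens are mapped to bit positions with a keyed hash (an assumption about how the bit maps are built), the server matches bit maps only, and the pre-encoding of every record shows why an existing database cannot simply be reused.

```python
import hashlib
import hmac

BITS = 1024  # width of every bitmap; a wider bitmap means fewer bit collisions


def to_bitmap(key, tokens):
    """Map each token to one bit position with a keyed hash (HMAC-SHA256).
    Data owner and querying user share `key`; the server never holds it, so it
    cannot turn bits back into terms. Keyed hashing is an assumption here."""
    bitmap = 0
    for tok in tokens:
        digest = hmac.new(key, tok.encode(), hashlib.sha256).digest()
        bitmap |= 1 << (int.from_bytes(digest[:4], "big") % BITS)
    return bitmap


def encode_database(key, records):
    """Pre-encode every record ({record_id: [tokens]}). Every existing row has
    to pass through this step, which is the cost noted above."""
    return {rid: to_bitmap(key, toks) for rid, toks in records.items()}


def server_search(encoded_db, query_bitmap):
    """Server side: a record is a candidate when its bitmap covers every query
    bit. No key, no decryption and no plaintext condition are involved."""
    return sorted(rid for rid, bm in encoded_db.items()
                  if bm & query_bitmap == query_bitmap)


def client_search(key, records, encoded_db, query_tokens):
    """Client side: encode the query, ask the server, then drop the false
    positives that bit collisions can cause. Looking up `records` here stands
    in for decrypting the rows the server returns."""
    candidates = server_search(encoded_db, to_bitmap(key, query_tokens))
    return [rid for rid in candidates if set(query_tokens) <= set(records[rid])]
```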